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We  demonstrate  high-rate  randomized  data-encryption  through  optical  fibers  using  the  inher¬ 
ent  quantum- measurement  noise  of  coherent  states  of  light.  Specifically,  we  demonstrate  650Mbps 
data  encryption  through  a  lOGbps  data-bearing,  in-line  amplified  200km-long  line.  In  our  proto¬ 
col,  legitimate  users  (who  share  a  short  secret-key)  communicate  using  an  M-ry  signal  set  while 
an  attacker  (who  does  not  share  the  secret  key)  is  forced  to  contend  with  the  fundamental  and 
irreducible  quantum- measurement  noise  of  coherent  states.  Implementations  of  our  protocol  using 
both  polarization-encoded  signal  sets  as  well  as  polarization-insensitive  phase-keyed  signal  sets  are 
experimentally  and  theoretically  evaluated.  Different  from  the  performance  criteria  for  the  cryp¬ 
tographic  objective  of  key  generation  (quantum  key-generation),  one  possible  set  of  performance 
criteria  for  the  cryptographic  objective  of  data  encryption  is  established  and  carefully  considered. 
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I.  INTRODUCTION 

For  more  than  twenty  years,  physicists  and  engineers 
have  investigated  quantum-mechanical  phenomena  as 
mechanisms  to  satisfy  certain  cryptographic  objectives. 

Such  objectives  include  user  authentication,  bit  commit¬ 
ment,  key  generation,  and  recently,  data  encryption.  To 
date,  the  cryptographic  objective  most  considered  in  the 
literature  has  been  key  generation.  In  key  generation, 
two  users,  who  initially  share  a  small  amount  of  secret 
information,  remotely  agree  on  a  sequence  of  bits  that  is 
both  larger  than  their  original  shared  information  and  is 
known  only  to  them.  The  newly  generated  bits  (keys) 
are  then  used  to  publicly  communicate  secret  messages 
over  classical  channels  by  driving  data  encrypters  like 
the  infbrmation-theoretically  perfect  one-time  pad  [1]  or 
more  efficient  (but  less  secure)  encrypters,  such  as  the 
Advanced  Encryption  Standard,  where  security  is  de¬ 
scribed  in  terms  of  complexity  assumptions  yj  y] . 

Several  approaches  to  key  generation  using  quantum 
effects  have  been  proposed  and  demonstrated.  The  most 
famous  of  these  protocols,  the  BB84  protocol  Q  and 
the  Ekert  protocol  ^  have  enjoyed  considerable  theo¬ 
retical  consideration  as  well  as  experimental  implemen¬ 
tation  HOlls].  A  major  technical  limitation  of  the  BB84 
(Ekert)  protocol  is  that  the  achievable  key-generation 
rate  (more  importantly,  the  rate-distance  product)  is  rel¬ 
atively  low  due  to  the  protocol’s  requirement  for  single¬ 
photon  (entangled-photon)  quantum  states.  This  re¬ 
quirement  is  a  burden  not  only  in  the  generation  of  such 
states,  but  also  in  that  such  states  are  acutely  susceptible 
to  loss,  are  not  optically  amplifiable  (in  general),  and  are 
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difficult  to  detect  at  high  rates.  Furthermore,  because  the 
received  light  must  be  detected  at  the  single-photon  level, 
integration  of  the  protocol  implementations  into  today’s 
wavelength-division-multiplexed  (WDM)  fiber-optic  in¬ 
frastructure  is  problematic  because  cross-channel  isola¬ 
tion  is  typically  no  better  than  30dB. 

Recently,  we  have  demonstrated  a  new  quantum  cryp¬ 
tographic  scheme,  based  on  Yuen’s  KCQ  approach  i  ,  in 
which  the  inherent  quantum  noise  of  coherent  states  of 
light  is  used  to  perform  the  cryptographic  service  of  data 
encryption  ulJ|ll[.  Unlike  single-photon  states,  coher¬ 
ent  states  (of  moderate  average-energy  level)  are  easily 
generated,  easily  detected,  and  are  optically  amplifiable, 
networkable,  and  loss  tolerant.  Note  that  key  generation 
and  data  encryption  are  two  different  cryptographic  ob¬ 
jectives  with  different  sets  of  criteria  by  which  to  judge 
performance — a  direct  comparison  between  the  two  is  not 
appropriate. 

In  our  scheme,  legitimate  users  extend  a  short,  shared 
secret-key  by  using  a  publicity  known  deterministic  func¬ 
tion.  The  transmitter  uses  the  extended  key  to  select  a 
signal  set  for  each  transmitted  bit  such  that  the  legiti¬ 
mate  receiver,  using  the  same  extended  key,  is  able  to 
execute  a  simple  binary-decision  measurement  on  each 
bit.  An  eavesdropper,  on  the  other  hand,  who  does  not 
possess  the  secret  key,  is  subject  to  an  irreducible  quan¬ 
tum  uncertainty  in  each  measurement,  even  with  the  use 
of  ideal  detectors.  This  uncertainty  results  in  randomiza¬ 
tion  of  the  eavesdropper’s  observations,  thereby  realizing 
a  true  randomized  cipher  which  effectively  limits  the 
eavesdropper’s  ability  to  decipher  the  transmitted  mes¬ 
sage.  This  randomization  is  “free”  in  that  it  does  not  re¬ 
quire  any  additional  action  on  the  part  of  the  transmitter 
in  contrast  to  other  randomized  ciphers  HI  Hi  ,  where 
active  randomization  of  the  signal-set  is  required  by  the 
transmitter.  Our  scheme,  running  at  data-encryption 
rates  up  to  650Mbps,  uses  off-the-shelf  components  and 
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is  compatible  with  today’s  optical  telecommunications 
infrastructure.  This  paper  is  organized  as  follows:  in 
section  on  we  outline  our  quantum-noise  protected  data- 
encryption  protocol  (call  the  ay  protocol),  in  section ITTTI 
we  address  issues  of  security  and  performance,  and  in 
section  ITVl  we  summarize  our  experimental  results. 

II.  DATA  ENCRYPTION  PROTOCOL 

We  have  implemented  two  versions  of  our  quantum- 
noise  protected  data-encryption  protocol  using  dif¬ 
ferent  signal  sets — one  using  polarization  states  mi 
(polarization-mode  scheme)  and  the  other  using  phase 
states  mm  (time- mode  scheme).  In  both  implemen¬ 
tations,  the  fundamental  and  irreducible  measurement 
uncertainty  of  coherent  states  is  the  key  element  giving 
security.  In  the  polarization-mode  scheme,  the  two-mode 
coherent  states  employed  are 

=  \a)x®\aei9-)y,  (1) 

|*W>  =  \a)x  ®  \aei^m+7r'>)y,  (2) 

where  \a)  is  a  coherent  state,  =  tt m/M,  m  E 
{0, 1,  2, ...,  (M  — 1)},  M  is  odd,  and  the  subscripts  x  and  y 
indicate  the  two  orthogonal  polarization  mode- functions. 
Viewed  on  the  Poincare  sphere,  these  2 M  polarization 
states  form  M  bases  that  uniformly  span  a  great  circle 
as  shown  in  Fig.  ^top).  In  the  time- mode  scheme,  the 
single-mode  coherent  states  employed  are 

l*&}>  =  (3) 

=  |  ae^+y,  (4) 

where  again  0m  =  7rm/M,  m  E  {0, 1,  2, ...,  (M  —  1)},  and 
M  is  odd.  These  2 M  states  form  M  antipodal-phase 
pairs  (bases)  that  uniformly  span  the  phase  circle,  as 
shown  in  Fig.  [IJbottom). 

In  both  schemes,  the  transmitter  (Alice)  extends  an 
s-bit  secret  key,  K,  to  a  (2s  —  l)-bit  pseudo-random 
extended- key,  K7,  using  a  publicly  known  s-bit  linear 
feedback  shift-register  2]  (LSFR)  of  maximal  length. 
The  extended-key  is  grouped  into  continuous  disjointed 
r-bit  blocks  and  then  passed  through  an  invertible  r-bit- 
to-r-bit  deterministic  mapping  function,  referred  to  as 
a  “mapper,”  resulting  in  running-keys,  R,  where  r  = 
Int[log2M]  and  s  r.  The  mapper,  which  is  publicly 
known,  helps  to  distribute  an  attacker’s  measurement 
uncertainty  throughout  each  running-key.  Without  the 
use  of  a  mapper,  an  attacker’s  measurement  uncertainty 
would,  the  majority  of  the  time,  obscure  just  a  the  least- 
significant  bits  of  each  r-bit  running-key  thereby  leaving 
most  of  the  r  bits  clearly  identifiable.  Also,  note  that  an 
LFSR  is  just  one  of  many  of  functions  that  the  users  can 
use  to  extend  K  into  K'.  The  reason  LFSRs  are  used 
in  these  experiments  is  because  they  are  mathematically 
simple  to  describe  which  could  be  useful  when  quantify¬ 
ing  the  precise  level  of  security  provided  by  ay. 
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FIG.  1:  Top:  M  pairs  of  orthogonal  polarization  states  uni¬ 
formly  span  a  great  circle  of  the  Poincare  sphere;  Bottom:  M 
pairs  of  antipodal  phase  states  uniformly  span  a  phase  circle. 


Depending  on  the  data  bit  and  an  instantiation  of 
the  running- key  R,  one  of  the  states  in  Eqs.  O  [©] 
or  ©[<©]  is  transmitted  where  m  is  the  decimal  repre¬ 
sentation  of  R.  Specifically,  for  the  polarization-mode 
scheme,  if  m  is  even  then  (0,1)  —>  (|T^),  |T^))  and 
if  m  is  odd  then  (0,1)  — ►  (|T^),  |\E^)).  This  re¬ 
sults  in  the  logical  bit  mapping  of  the  polarization  states 
on  the  Poincare  sphere  to  be  interleaved  0, 1,0, 1, ...,  as 
shown  in  Fig.  ©top).  The  time-mode  scheme  is  sim¬ 
ilarly  organized  but  slightly  more  complicated  in  that 
the  data  bits  are  defined  differentially  (differential-phase- 
shift  keying,  DPSK).  Specifically,  if  m  is  even,  then  the 

DPSK  mapping  is  (0,7r)  ->  (l^mk  |^m  )),  and  (0,7r)  —*• 
(|4/mk  I 'I'm'*))  for  m  odd.  If  we  relabel  the  states  cor- 
responding  to  DPSK  phases  of  “0”  and  “7 r”  as  (i  and 
z/,  respectively,  then  logical  zero  is  mapped  to  |T^) 
(|^m^))  if  the  previously  transmitted  state  was  from 
the  set  {|^)}  ({|*&}  )})  and  logical  one  is  mapped 
to  |^})  (1^  ))  if  the  previously  transmitted  state  was 
from  the  set  ({|T^)}).  This  results  in  the  map¬ 

ping  of  the  symbols  on  the  phase  circle  to  be  interleaved 
/i,  z/,  /i,  z/, ...,  as  shown  in  Fig.  ^bottom). 

At  the  receiving  end,  the  intended  receiver  (Bob) 
uses  the  same  s-bit  secret  key  and  LFSR/mapper  to 
apply  unitary  transformations  to  his  received  quantum 
states  according  to  the  running- keys.  These  transforma¬ 
tions  correspond  to  polarization-state  rotations  for  the 
polarization-mode  scheme,  and  phase  shifts  for  the  time¬ 
mode  scheme — in  either  case  the  transmitted  M-ry  signal 
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set  is  reduced  to  a  binary  signal-set.  The  resulting  states 
under  measurement,  depending  on  the  logical  bit,  are 


l^(a)>'  =  \r)a)x  0  \rja}y,  (5) 

I  ^{b)Y  =  \m)x®\-m)y,  (6) 

for  the  polarization-mode  scheme  and 

l*(a)}'  =  M,  (7) 

\9W)'  =  \-Va),  (8) 


for  the  time  mode  scheme,  where  77  is  the  channel  trans¬ 
missivity.  For  both  schemes  the  states  are  then  demodu¬ 
lated  and  differentially  detected.  Specifically,  a  fixed  7r/4 
polarization  rotation  on  the  states  in  the  polarization¬ 
mode  scheme  results  in  the  detected  states 

|^(o)>  =  \V2vu)x®  |0>y,  (9) 

|*(b)>  =  \0)x®\V2Va)y,  (10) 

whereas  temporally-asymmetric  interferometry  in  the 
time-mode  implementation  results  in  the  detected  states 

|$(a))  =  |/?a)i  0  |0>2,  (11) 

|$(b))  =  1 0)  1  0  \r/a)2.  (12) 

An  important  feature  to  note  is  that  Bob  does  not  re¬ 
quire  high  precision  in  applying  decryption  transforma¬ 
tions  to  a  transmitted  bit.  While  the  application  of  a 
slightly  incorrect  polarization/phase  transformation  re¬ 
sults  in  a  larger  probability  of  error  for  the  bit,  it  does 
not  categorically  render  a  bit  to  be  in  error.  For  small 
perturbations  to  the  polarization/phase  rotation,  the  ma¬ 
jority  of  the  signal  energy  stays  in  one  of  the  two  detec¬ 
tion  modes.  The  same  applies  to  Bob’s  detector  noise; 
while  an  ideal  detector  allows  for  optimized  performance, 
a  noisy  detector  does  not  limit  Bob’s  decryption  ability 
beyond  an  increased  probability  of  bit  error. 

A  high-level  block  diagram  of  the  otr\  protocol  is  pro¬ 
vided  in  Fig.  0  Note  that  some  elements  of  our  pro¬ 
tocol  that  help  to  protect  the  secret  key  against  attack 
have  been  intentionally  omitted  from  this  description  for 
the  purpose  of  clarity.  These  omitted  elements  are  men¬ 
tioned  in  the  following  section  and  are  further  described 
in  Ref.  P. 


III.  SECURITY 

As  stated  in  the  introduction,  key  generation  and 
data  encryption  are  different  cryptographic  objectives 
and,  therefore,  have  different  sets  of  criteria  by  which 
to  evaluate  performance.  The  delineation  between  key 
generation  and  data  encryption  is  somewhat  confused 
by  terminology.  Because  keys  procured  by  a  key- 
generation  protocol  are  usually  assumed  to  drive  deter¬ 
ministic  encrypters,  the  terms  “quantum  key-generation” 


and  “quantum  data-encryption”  are  sometimes  used  in¬ 
terchangeably.  This  easily  leads  to  confusion  in  that  (a) 
there  are  potential  uses  for  the  generated  keys  beyond 
data  encryption,  and  (b)  there  are  methods  of  realizing 
quantum-based  data-encryption  without  key  generation. 

In  quantum  key-generation,  a  necessary  (but  not  suf¬ 
ficient)  condition  that  must  be  satisfied  is 

H(X | YE,  K)  -  H(X | Yb,  K)  -  H( K)  >  0,  (13) 

where  X  is  a  classical  n-bit  random  vector  describing 
the  transmitted  bits,  YE  and  YB  are  77,-bit  vectors  de¬ 
scribing  the  observations  of  an  attacker  (Eve)  and  Bob, 
respectively;  K  is  an  s-bit,  previously  shared  secret  be¬ 
tween  Alice  and  Bob  that  might  become  public  on  com¬ 
pletion  of  the  protocol,  and  H(-)  is  the  Shannon  entropy 
function.  Note  that  while  often  omitted  in  descriptions 
of  the  BB84  and  Ekert  protocols,  both  schemes  require 
a  secret  key  K  for  the  purpose  of  message  authentica¬ 
tion.  Also  note  that  the  H{ K)  term  in  Eq.  (1131)  may  be 
omitted  if  both  a)  information  about  K  is  never  publicly 
announced,  and  b)  K  remains  secret  even  when  under  a 
general  attack  (as  in  some  of  Yuen’s  KCQ  key-generation 
protocols). 

The  mathematical  definition  of  iL(X|Y),  to  be  read  as 
“the  uncertainty  of  X  given  Y,”  is  given  by 

H{X  |Y)  =  -J>(X  =  x,  Y  =  y) 

x,y 

x  logp(X  =  x|Y  =  y),  (14) 

which,  with  application  of  Bayes’  theorem  and  the  Law 
of  Total  Probability,  becomes 


H(X  |Y)  = 


-  =  XMY  =  ylx  =  x) 

x-y 


x  log 


p(X  =  x)p(Y  =  y|X  =  x)  - 
.EX'P(x  =  x')p(Y  =  y|X  =  x')_  ' 

(15) 


The  conditional  probability  distribution  p(Y|X)  is  com¬ 
pletely  and  uniquely  specified  by  the  probability  distribu¬ 
tion  of  the  secret  key  p(K),  the  probability  distribution  of 
the  plaintext  message  p(X),  and  the  encryption  function 
that  takes  X  to  Y  =  Ek(X).  While  Ek(X)  is  usually 
assumed  known  to  the  attacker  via  the  Kerckhoff  assump¬ 
tion ,  it  is  important  to  emphasize  that  the  calculation  of 
iL(X|Y)  also  depends  on  the  probability  distributions 
p( K)  and  p(X)  according  to  Eve.  This  means  that  Eve’s 
conditional  entropy  iJ(X|Y)  may  change  if  Eve’s  proba¬ 
bility  distribution  p(X)  changes  due  to  the  acquisition  of 
some  side-information  (such  as  the  language  of  the  plain¬ 
text  message). 

For  the  cryptographic  objective  of  data  encryption,  be 
it  classical  or  quantum-noise-protected,  some  relevant 
information-theoretic  quantities  are: 


ff(X|YB,K), 

(16) 

H(X\Ye), 

(17) 

H(KIYe), 

(18) 
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FIG.  2:  Summary  of  the  quantum-noise  protected  data  encryption  protocol.  In  our  experiments,  the  “pseudo-random  key- 
extender”  is  implemented  by  a  maximal- length  LFSR  and  “r-bit-to-r-bit  mapping  function” . 


where  X  is  the  n-bit  transmitted  message  (plaintext), 
Yb  and  YE  are  Bob’s  and  Eve’s  n-bit  observations  of 
the  encrypted  plaintext  (ciphertext),  and  K  is  the  5-bit 
secret  key  shared  by  the  legitimate  users.  In  words,  these 
quantities  describe  i)  the  error  rate  for  the  legitimate 
users,  ii)  the  secrecy  of  the  data  bits  when  under  attack, 
and  iii)  the  secrecy  of  the  secret  key  when  under  attack. 

When  launched  on  either  the  data  bits  or  the  se¬ 
cret  key,  cryptographic  attacks  are  normally  divided 
into  two  categories,  known-plaintext  (KPT)  attacks  and 
ciphertext-only  (CTO)  attacks.  CTO  attacks  correspond 
to  situations  where  p(X)  is  uniform,  according  to  the 
attacker.  In  other  words,  all  2n  possible  messages  are 
transmitted  with  equal  probability.  A  KPT  attack  corre¬ 
sponds  to  all  situations  where  p(X)  is  nonuniform  includ¬ 
ing  the  totally  degenerate  deterministic  case  of  chosen- 
plaintext.  Some  example  KPT  attacks  include  knowledge 
of  the  native  language  of  the  message  or  perhaps  some 
statistical  knowledge  of  the  message  content.  While  there 
are  clearly  varying  degrees  of  KPT  attacks,  a  CTO  attack 
refers  to  the  specific  case  of  uniform  p(X). 

According  to  information  theory  |l  71.  ll  8j| .  Eqs.  and 
m  satisfy  the  following  inequalities: 

H(X |Ye)  <  H{ K),  (19) 

iJ(K|YE)  <  H( K),  (20) 

where  Eq.  is  known  as  the  Shannon  limit  M  which 
is  valid  when  U(X|YE,  K)  =  0  (our  data-encryption  pro¬ 
tocol  operates  in  a  regime  where  #(X|YE,K)  =  0j23jb 
Note  that  in  ar] ,  contrary  to  the  case  for  key  generation 
[cf.  Eq.  O],  the  condition  Ff(X|YE,K)  >  Ff(X|YB,K) 
need  not  be  satisfied.  In  fact  the  opposite  is  normally 
true  where  an  attacker  (given  the  secret  key  after  mea¬ 
surement)  has  a  lower  bit-error  rate  than  the  legitimate 
receiver.  This  is  the  case  when  a  significant  amount  of 
loss  and/or  additive  noise  exists  between  the  two  users 
where  it  is  assumed  that  the  attacker,  performing  an  ad¬ 
equate  quantum  measurement,  is  located  near  the  trans¬ 
mitter. 

The  one-time  pad  encrypter  achieves  what  Shannon 
called  “perfect  security”  which  corresponds  to  =  iJ(X) 
in  the  inequality  of  Eq.  m  when  s  =  n.  The  practical 


problem  with  the  one-time  pad  is  that  every  data  bit  to 
be  encrypted  requires  one  bit  of  key.  More  “efficient,”  al¬ 
beit  less  secure,  encrypters  operate  in  the  regime  where 
s  <C  n  <  oo,  thereby  allowing  short  secret-keys  to  en¬ 
crypt  long  messages.  A  reasonable  information-theoretic 
goal  of  such  “imperfect  but  efficient”  encrypters  (practi- 


cal  encrypters)  could  be  to  show 

iJ(X  Yb,  K)  — >  0, 

(21) 

ff(X|YE)  =  A!  •  ff(K), 

(22) 

H(K\YE)  =  X2  ■  H(K), 

(23) 

where  s<n<oo  and  Ap2  — >  1.  It  is  extremely  impor¬ 
tant  to  emphasize  that  even  if  Ai,  A2  — >  0,  there  still  may 
exist  a  large  complexity-based  problem  of  finding  the  cor¬ 
rect  x  even  when  given  yE,  p(X),  p( K),  and  E'k(X) — it 
is  in  this  complexity-based  limit  in  which  all  of  today’s 
commercial  deterministic  encrypters  are  considered. 

According  to  the  given  information-theoretic  criteria, 
a  goal  of  practical  data  encrypters  could  be  to  a)  drive 
Ai52  as  close  to  1  as  possible  for  a  reasonably  large  s  while 
still  keeping  s  <C  n  <  00;  b)  attempt  to  mathematically 
prove  Eqs.  (12211  and  11231:  and  c)  if  conditions  (a)  and  (b) 
cannot  be  met,  insure  that  the  computational  (search) 
complexity  is  high  even  when  Ap2  *  H( K)  =  0.  To  date, 
no  practical  data  encrypter  exists  for  which  Eqs.  11221) 
and  (I23ll  can  be  rigorously  proven,  for  nontrivial  A,  when 
under  a  KPT  attack;  no  significant  complexity-based  se¬ 
curity  has  been  proven  either. 

Note  that  the  appropriate  information-theoretic  crite¬ 
ria  by  which  to  quantify  the  security  of  a  data  encrypter 
may  be  different  for  different  sociological  situations.  For 
example,  satisfying  the  criteria  given  in  Eqs.  (1221)  and 
(l23l)  (Ai?2  =  1)  may  yield  security  in  some  situations,  but 
not  in  others.  A  different  set  of  operationally- meaningful 
criteria  for  the  cryptographic  objective  of  data  encryp¬ 
tion,  which  does  not  rely  on  Shannon  entropy,  has  been 
described  in  Ref.  9]. 

Towards  the  goal  of  satisfying  the  cryptographic  ob¬ 
jective  of  data  encryption,  according  to  any  reasonable 
information-theory-based  criteria,  we  offer  a  new  ap¬ 
proach  to  data-encryption  wherein  the  irreducible  uncer¬ 
tainty  inherent  in  the  quantum  measurement  of  coherent 
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states  of  light  is  used  to  perform  high-speed  randomized 
encryption  that  does  not  sacrifice  the  data  rate.  In  our 
protocol  (section  CD,  the  logical  mappings  of  the  sym¬ 
bols  are  interleaved  (Fig.QJ.  While  the  users  (who  share 
a  short  secret-key)  are  able  to  make  simple  binary  deci¬ 
sions  on  the  M- ry  signal  set,  an  attacker  (who  does  not 
share  the  secret  key)  is  left  with  an  irreducible  uncer¬ 
tainty  in  her  measurements  due  to  the  quantum  fluctu¬ 
ations  inherent  to  coherent  states  of  light.  Specifically, 
with  M  and  \a\ 2  in  a  particular  regime,  measurements 
of  neighboring  states,  on  either  the  Poincare  sphere  or 
the  phase  circle,  overlap  and  obscure  one  another.  To  an 
attacker,  this  overlap  is  equivalent  to  Alice  broadcasting 
digital  representations  of  the  M-ry  signal  that  are  then 
actively  randomized  over  the  signal’s  closest  neighbors  in 
the  signal  constellation.  By  using  coherent  states  with 
a  relatively  weak  amplitude,  a  similar  randomization  is 
achieved  through  quantum-measurement  noise  which  re¬ 
quires  no  active  effort  on  the  part  of  the  transmitter, 
but  still  obscures  the  true  identity  of  the  state  called  for 
by  the  protocol.  Such  randomization  is  realized  through 
any  quantum  measurement  including  direct  detection, 
balanced  homo  dyne/ heterodyne  detection,  and  optimal 
quantum-phase  detection. 

Given  some  restrictive  assumptions,  one  can  even  de¬ 
scribe  the  performance  of  a  quantum-mechanically  op¬ 
timal  attack — the  best  attack  allowed  by  quantum  me¬ 
chanics.  While  the  physical  structure  of  such  an  optimal 
attack  may  be  unknown,  quantum  mechanics  can  estab¬ 
lish  bounds  on  the  maximum  information  rate  of  an  at¬ 
tacker.  For  individual  attacks  on  the  message  where  clas¬ 
sical  correlations  are  ignored,  the  quantum-mechanically 
optimal  attack — known  as  the  optimal  positive  operator¬ 
valued  measure — corresponds  to  optimally  distinguish¬ 
ing  ah  of  the  states  mapped  to  logical  one  from  those 
mapped  to  logical  zero.  Figure  |3|  plots  the  information 
rate  of  the  optimal  positive  operator- valued  measure  as 
a  function  of  \a\ 2  and  M  for  the  time-  and  polarization¬ 
mode  implementations  where  information  17j  is  defined 
as  1  +  Pe  log 2(Pe)  +  (1  —  Pe)  log2(l  —  Pe)  for  a  bit-error 
rate  Pe. 

Figure|3|also  plots  the  information  rate  of  the  described 
attack  when  performing  an  ideal  heterodyne  measure¬ 
ment.  The  performance  of  this  measurement  is  included 
because  it  represents  the  “highest  performing”  receiver 
structure  that  an  attacker  could  practically  implement 
using  today’s  technology.  The  difference  between  the  in¬ 
formation  rates  of  the  time-  and  polarization-mode  im¬ 
plementations,  for  both  the  optimal  positive  operator¬ 
valued  measure  and  ideal  heterodyne  attacks,  is  due  to 
the  fact  that  logical  bits  are  defined  differentially  across 
two  modes  in  the  time-mode  scheme — a  bit  is  correctly 
determined  if  and  only  if  two  consecutive  state  measure¬ 
ments  are  both  correct  or  both  incorrect.  It  is  important 
to  remember  that  both  the  optimal  positive  operator¬ 
valued  measure  and  ideal  heterodyne  analyses  are  for  a 
very  limited  attack  where  Eve  does  not  use  her  infor¬ 
mation  on  the  correlations  between  the  running-keys  to 


determine  the  plaintext  or  secret  key — a  real  attacker 
would  presumably  use  ah  information  at  her  disposal. 

While  the  inability  to  distinguish  neighboring  states 
plays  a  role  in  protecting  the  secret  key  against  at¬ 
tacks,  additional  mechanisms  are  required  to  improve 
the  secrecy  of  the  secret  key.  By  introducing  deliber¬ 
ate  state-randomization  at  the  transmitter,  perfect  secu¬ 
rity  against  CTO  attacks  on  the  secret  key  [i^(K|YE)  = 
H( K),  uniform  p(X)]  can  be  assured  as  well  as  strongly- 
ideal  security  against  CTO  attacks  on  the  message 
[JT(X|Ye)  =  H( K),  uniform  p(X)].  More  information 
on  deliberate  state-randomization  is  available  in  Ref.  9] . 
Note  that  the  mapper  and  deliberate  state-randomization 
have  not  yet  been  implemented  in  our  published  experi¬ 
mental  realizations. 

Physical  “trojan  horse”  attacks  can  also  be  launched 
on  the  message  and  the  secret  key  by  attempting  to  probe 
Alice’s  transmitter  settings.  In  such  an  attack,  an  eaves¬ 
dropper  would  send  strong  light  into  Alice’s  transmitter 
and  measure  the  state  of  her  reflected  light.  Attacks  of 
this  type  can  be  passively  thwarted  by  using  an  optical 
isolator  at  the  output  of  Alice’s  transmitter. 

Confusion  over  the  cryptographic  service  that  our  pro¬ 
tocol  (arj)  offers  as  well  as  how  quantum  noise  is  exploited 
in  our  scheme  prompted  a  criticism  [20[  to  Ref.  ITcj 
and  some  of  the  authors  of  Ref.  M  have  replied  |2lj| . 
In  Ref.  HI,  ^  is  claimed  that  the  arj  data-encryption 
protocol,  operating  in  a  regime  where  i^(X|YE,K)  < 
tf(X|YB,K),  already  permits  key  generation.  We  dis¬ 
agree  with  that  conclusion. 

IV.  EXPERIMENTS 

Using  both  the  polarization-  and  time- mode  imple¬ 
mentations,  we  demonstrate  high-speed  quantum- noise- 
protected  data  encryption.  The  primary  objective  of 
these  experiments  is  to  successfully  demonstrate  quan¬ 
tum  data  encryption  through  a  realistic  classical-data 
bearing  WDM  fiber  line.  A  secondary  objective  is  to 
show  that  the  quantum-noise  encrypted  signal  does  not 
negatively  impact  the  performance  of  the  classical  data- 
bearing  channels.  The  following  two  subsections  sum¬ 
marize  the  physical  setups  as  well  as  the  experimental 
results  for  both  implementations. 

A.  Polarization-mode  implementation 

A  description  of  the  polarization-mode  experimental 
setup  naturally  breaks  into  two  parts:  the  quantum- 
noise-protected  data-encryption  transmitter  /  receiver 
pair  and  the  WDM  fiber  line  (which  also  carries  clas¬ 
sical  data  traffic)  over  which  the  encrypted  data  trav¬ 
els.  We  first  describe  the  transmitter /receiver  pair.  As 
illustrated  in  Fig.  @fleft),  a  polarization-control-paddle 
(PCP)  is  adjusted  to  project  the  light  from  a  1550. lnm- 
wavelength  distributed- feedback  (DFB)  laser  equally  into 


6 


o  o 

rb  ° 

1 

10'4 

+- > 
£ 

CD 

b 

.O 

10-8 

,o 

p 

o 

C 

10-12 

10'14 

104 


Average  photon  number  per  mode,  |a|2 


FIG.  3:  Shannon  information  recovered  through  individual  attacks  on  the  message  when  launching  either  the  optimal  pos¬ 
itive  operator-valued  measure  or  an  ideal  heterodyne  measurement  on  the  time-mode  (left)  and  polarization-mode  (right) 
implementations.  Plotted  as  a  function  of  |o|2,  for  several  values  of  M. 


the  two  polarization  modes  of  Alice’s  lOGHz-bandwidth 
fiber-coupled  LiNbOs  phase  modulator  (PM).  Driven  by 
the  amplified  output  of  a  12-bit  digital-to- analog  (D-A) 
board,  the  modulator  introduces  a  relative  phase  (0  to 
27 r  radians)  between  the  two  polarization  modes.  A  soft¬ 
ware  LFSR,  which  is  implemented  on  a  personal  com¬ 
puter  (PC),  yields  a  running- key  that,  when  combined 
with  the  data  bit,  instructs  the  generation  of  one  of  the 
two  states  described  in  Eqs.  CD  and  ©•  Due  to  elec¬ 
tronic  bandwidth  limitations  of  some  amplifiers,  Manch¬ 
ester  coding  is  applied  on  top  of  the  signal  set  that  results 
in  a  factor  of  two  reduction  of  the  data  rate  (250Mbps) 
relative  to  the  line  rate  (500Mbps).  Note  that  in  the 
time-mode  implementation,  described  in  Sec.  uvrn  such 
Manchester  coding  is  not  required  due  to  the  use  of  wider 
bandwidth  amplifiers. 

On  passing  through  the  lOOkm-long  WDM  fiber  line 
[shown  in  Fig.  fright),  Crypto,  in  and  Crypto.  out\ , 
the  received  light  is  amplified  by  a  home-built  erbium- 
doped-fiber  amplifier  (EDFA)  with  ~  30dB  of  small- 
signal  gain  and  a  noise  figure  very  close  to  the  quantum 
limit  (NF  ~  3dB).  Before  passing  through  Bob’s  PM, 
the  received  light  is  sent  through  a  second  PCP  to  can¬ 
cel  out  the  unwanted  polarization  rotation  that  occurs  in 
the  lOOkm-long  fiber  line.  While  these  rotations  fluctu¬ 
ate  with  a  bandwidth  on  the  order  of  kilohertz,  the  mag¬ 
nitude  of  the  fluctuations  drops  quickly  with  frequency, 
allowing  the  use  of  a  manual  PCP  to  track  out  such  un¬ 
wanted  polarization  rotations.  In  future  implementations 
Bob’s  measurements  could  be  used  to  drive  an  automated 
feedback  control  on  the  PCP. 

The  relative  phase  shift  (polarization  rotation)  intro¬ 
duced  by  Bob’s  modulator  is  determined  by  the  running- 
key  R  generated  through  a  software  LFSR  in  Bob’s  PC 
and  applied  via  the  amplified  output  of  a  second  D-A 
board.  After  this  phase  shift  has  been  applied,  the  rela¬ 
tive  phase  between  the  two  polarization  modes  is  0  or  7r, 
corresponding  to  a  0  or  1  according  to  the  running-key: 


if  R  is  even  then  (0, 7r)  — >  (0,1)  and  if  R  is  odd  then 
(0, 7r)  — >  (1,0).  With  use  of  a  fiber-coupled  polarization 
beam  splitter  (FPBS)  oriented  at  7t/4  radians  with  re¬ 
spect  to  the  modulator’s  principal  axes,  the  state  under 
measurement  [Eq.  @  or  (IIP))]  is  direct-detected  by  using 
two  lGHz-bandwidth  InGaAs  PIN  photodiodes  operat¬ 
ing  at  room  temperature,  one  for  each  of  the  two  polar¬ 
ization  modes.  The  resulting  photocurrents  are  amplified 
by  a  40dB-gain  amplifier,  sampled  by  an  analog-to-digital 
(A-D)  board,  and  stored  for  analysis.  The  overall  sensi¬ 
tivity  of  Bob’s  preamplified  receiver  is  measured  to  be 
660  photons/bit  for  10-9  error  probability. 

As  shown  in  Fig.  fright),  the  100km- long  WDM 
line  consists  of  two  40-channel  lOOGHz-spacing  arrayed- 
waveguide  gratings  (AWGs),  two  50km  spools  of  single¬ 
mode  fiber  (Corning,  SMF-28),  and  an  in-line  EDFA 
with  an  output  isolator.  Along  with  the  quantum- noise 
protected  0.25Gbps  encrypted-data  channel,  two  lOGbps 
channels  of  classical  data  traffic  also  propagate  through 
the  described  WDM  line.  Light  from  two  DFB  lasers  on 
the  100GHz  ITU  grid  (1546. 9nm  and  1553. 3nm)  is  mixed 
on  a  3dB  coupler,  where  one  output  is  terminated  and 
the  other  enters  a  lOGHz-bandwidth  fiber-coupled  Mach- 
Zender  type  LiNbOs  intensity  modulator  (IM).  The  IM 
is  driven  by  an  amplified  lOGbps  pseudo-random  bit 
sequence  (PRBS)  generated  by  a  pattern  generator  of 
(231— 1)  period.  The  PRBS  modulated-channels  (here¬ 
after  referred  to  as  PRBS  channels)  then  pass  through 
an  EDFA  to  compensate  for  losses  before  entering,  and 
being  spectrally  separated  by  AWG1.  By  introducing  ap¬ 
proximately  one  meter  fiber  length  difference  between  the 
separated  PRBS  channels  before  combining  them  into  the 
100km- long  WDM  line  with  AWG2,  the  bit  sequences  of 
the  two  channels  are  shifted  by  50  bits.  This  shift  reduces 
temporal  correlations  between  the  two  PRBS  channels, 
thereby  more  effectively  simulating  random,  real-world 
data  traffic.  The  lOOkm-long  WDM  line  is  loss  compen¬ 
sated  by  an  in-line  EDFA.  The  lOdB  power  loss  in  the 
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FIG.  4:  Left,  transmitter /receiver  setup:  Gl,  RF  power  amplifier;  OA1,  low-noise  EDFA  followed  by  a  Bragg-grating  filter; 
G2,  RF  signal  amplifier.  Right,  WDM  network  setup:  OA1,  low-noise  EDFA;  G3,  IM  driver;  OA2,  in-line  EDFA  followed  by 
an  optical  isolator;  OA3,  EDFA. 


first  50km  spool  of  fiber  (0.2dB/km  loss)  is  compensated 
by  lOdB  of  saturated  gain  from  the  in-line  EDFA.  The 
overall  loss  of  the  line  is  therefore  15dB,  where  lOdB  come 
from  the  second  50km  spool  of  fiber  and  the  remaining 
5dB  from  the  two  AWGs  (2.5dB  each). 

After  propagating  through  the  WDM  line  the  chan¬ 
nels  are  separated  by  AWG3.  Either  of  the  two  PRBS 
channels  is  amplified  with  a  20dB  gain  EDFA  (OA3)  and 
the  group-velocity-dispersion  (GVD)  is  compensated  by 
a  —  1530ps/nm  dispersion-compensation  module  (DCM). 
While  the  GVD  introduced  in  the  WDM  line  is  ap¬ 
proximately  1700ps/nm,  the  DCM  used  is  sufficient  for 
our  demonstration.  The  amplified,  GVD-compensated 
PRBS  channel  is  detected  using  an  InGaAs  PIN-TIA  re¬ 
ceiver  (RCVR)  and  analyzed  for  errors  by  a  lOGbps  bit¬ 
error-rate  tester  (BERT).  Bit-error  rates  for  each  PRBS 
channel  are  measured  separately  using  the  BERT. 

Figure  (Sfa)(left)  shows  the  optical  spectrum  of  the 
light  after  AWG2  measured  with  O.Olnm  resolution  band¬ 
width.  The  launch  powers  in  the  quantum  channel  and 
in  each  of  the  PRBS  channels  are  —  25dBm  and  2dBm, 
respectively.  An  eye  pattern  of  the  1546. 9nm  PRBS  chan¬ 
nel  at  launch  is  shown  in  Fig. 0a) (right).  Measuring  af¬ 
ter  AWG2  (i.e.,  at  launch),  neither  PRBS  channel  showed 
any  error  in  10  terabits  of  pseudo-random  data  commu¬ 
nicated.  Figure  Etb)  (left)  shows  the  optical  spectrum 
(O.Olnm  resolution  bandwidth)  of  the  light  received  af¬ 
ter  the  second  50km  spool  of  fiber.  This  figure  clearly 
shows  the  lOdB  loss  in  signal  power  of  all  the  channels 
and  the  accompanying  lOdB  increase  in  the  amplified- 
spontaneous-emission  dominated  noise  floor.  An  eye  pat¬ 
tern  of  the  1546. 9nm  PRBS  channel,  post  dispersion  com¬ 
pensation,  is  shown  in  Fig.  Ob) (right).  While  the  effect 
of  the  residual  GVD  is  clearly  visible  in  the  eye  pattern, 
the  bit-error  rate  for  each  of  the  PRBS  channels  remains 
nearly  “error  free”  at  5  x  10-11.  Neither  the  bit-error 
rates  nor  the  eye  patterns  of  the  PRBS  channels  change 
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FIG.  5:  (a):  Optical  spectrum  (left)  and  eye  pattern  (right)  of 
a  PRBS  channel  at  launch  [after  AWG2  in  Fig. ET right)],  (b): 
Optical  spectrum  (left)  and  eye  pattern  (right)  of  a  PRBS 
channel  at  the  end  of  the  line  [before  AWG3  in  Fig.  HTrighti]. 


when  the  quantum  channel  is  turned  off. 

Figure 0  shows  results  of  5000  A-D  measurements  (one 
of  the  two  detector  outputs)  of  a  9.1Mb  bitmap  file  trans¬ 
mitted  on  the  encrypted  channel  from  Alice  to  Bob  (top) 
and  to  Eve  (bottom)  through  the  lOOkm-long  WDM  line 
at  250Mbps  data  rate.  The  insets  show  the  respective 
decoded  images.  In  this  experiment,  actions  of  Eve  are 
physically  simulated  by  Bob  starting  with  an  incorrect 
secret-key.  Clearly,  a  real  eavesdropper  would  aim  to 
make  better  measurements  by  placing  herself  close  to  Al¬ 
ice  and  implementing  a  more  optimized  quantum  mea¬ 
surement.  While  Fig.  0  does  not  explicitly  demonstrate 
Eve’s  inability  to  distinguish  logical  ones  from  zeros,  it 
does,  show  that  a  simple  bit  decision  is  impossible.  In  the 
current  setup,  the  12-bit  D-A  conversion  allows  Alice  to 
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FIG.  6:  5-kbit  segments  of  9.1-Mbit  transmissions  through 
the  WDM  link.  Insets,  the  received  bit-map  images.  Top, 
Bob’s  detection;  bottom,  Eve’s  detection. 


generate  and  transmit  4094  distinct  polarization  states 
(M  =  2047  bases).  The  numerical  calculation  used  to 
plot  Fig.  fright)  then  shows  that  for  —  25dBm  launch 
power  at  250Mbps  (500Mbps  line  rate,  \a\ 2  ~  20,000) 
and  M  =  2047,  Eve’s  maximum  obtainable  information 
in  an  individual  attack  on  the  message  is  less  than  10“ 14 
bits/bit. 

B.  Time- mode  implementation 

While  technically  possible,  as  demonstrated  above,  the 
polarization-state  alignment  required  at  the  receiver  by 
the  polarization-mode  scheme  makes  it  much  less  attrac¬ 
tive  than  a  polarization-insensitive  version  with  equiva¬ 
lent  performance.  The  time-mode  implementation  is  to¬ 
tally  polarization- state  insensitive  and  is  therefore  much 
more  desirable  for  performing  quantum-noise-protected 
data  encryption  over  real-world  WDM  networks. 

As  with  the  polarization-mode  implementation,  a  de¬ 
scription  of  the  time-mode  experimental  setup  naturally 
breaks  into  two  parts:  the  transmitter /receiver  pair  and 
the  WDM  fiber  line.  We  first  describe  the  transmit¬ 
ter/receiver  pair.  As  illustrated  in  Fig. deleft),  — 25dBm 
of  power  from  a  1550.9nm-wavelength  DFB  laser  is  pro¬ 
jected  into  Alice’s  lOGHz-bandwidth  fiber-coupled  PM. 
Driven  by  the  amplified  output  of  a  12-bit  D-A  board, 
the  modulator  introduces  a  relative  phase  (0  to  2tt  radi¬ 
ans)  between  temporally  neighboring  symbols.  A  4.4-kb 
software  LFSR,  which  is  implemented  on  a  PC,  yields  a 
running- key  that,  when  combined  with  the  data  bit,  in¬ 
structs  the  generation  of  one  of  the  two  states  described 
in  Eqs.  ©  and  0  at  a  650Mbps  data  rate.  Before  leav¬ 
ing  the  transmitter,  the  encrypted  signal  is  amplified  with 


an  EDFA  (OA1)  to  a  saturated  output  power  of  2dBm. 

On  passing  through  the  200km-long  WDM  line  [shown 
in  Fig.  Enright),  Crypto,  in  and  Crypto,  out ),  the 
received  light  is  amplified  by  another  EDFA  (OA2) 
with  ~  30dB  of  small-signal  gain  and  a  noise  figure 
very  close  to  the  quantum  limit  (NF  ~  3dB).  The 
light  then  passes  through  a  pair  of  lOGHz-bandwidth 
polarization-maintaining-fiber-coupled  PMs  oriented  or¬ 
thogonally  with  respect  to  each  other  so  that  the  x  (y) 
polarization  mode  of  the  first  modulator  projects  onto 
the  y  (x)  mode  of  the  second  modulator.  The  effect  of 
such  concatenation  is  to  apply  an  optical  phase  modula¬ 
tion  that  is  independent  of  the  polarization  state  of  the 
incoming  light.  The  relative  phase  shift  introduced  by 
Bob’s  modulator  pair  is  determined  by  the  running- key 
R  generated  through  a  software  LFSR  in  Bob’s  PC  and 
applied  via  the  amplified  output  of  a  second  D-A  board. 
After  this  phase  shift  has  been  applied,  the  relative  phase 
between  temporally  neighboring  states  is  0  or  7 r  (differ¬ 
ential  phase-shift  keying),  differentially  corresponding  to 
a  0  or  1. 

The  decrypted  signal  then  passes  through  a  fiber- 
coupled  optical  circulator  and  into  a  temporally  asym¬ 
metric  Michelson  interferometer  with  one  bit-period 
round-trip  path- length  delay  between  the  two  arms.  Use 
of  Faraday  mirrors  (FM)  in  the  Michelson  interferome¬ 
ter  ensures  good  polarization- state  overlap  at  the  output, 
yielding  high  visibility  interference.  The  interferometer 
is  path  length  stabilized  with  a  PZT  and  dither- lock  cir¬ 
cuit. 

Light  from  the  two  outputs  of  the  interferometer  is 
direct-detected  by  using  two  room  temperature  1GHz- 
bandwidth  InGaAs  PIN  photodiodes  set  up  in  a  dif¬ 
ference  photocurrent  configuration.  The  resulting  pho¬ 
tocurrent  is  either  sampled  by  an  A-D  board  and  stored 
for  analysis,  or  put  onto  a  communications  signal  ana¬ 
lyzer  (CSA)  to  observe  eye  patterns. 

As  shown  in  Fig.  Efright),  the  200km- long  WDM  line 
consists  of  two  lOOGHz-spacing  AWGs,  two  100km  spools 
of  single-mode  fiber  (Corning,  SMF-28)  and  an  in-line 
EDFA  with  an  input  isolator.  Along  with  the  quantum- 
noise  protected  650Mbps  encrypted-data  channel,  two 
lOGbps  channels  of  classical  data  traffic  also  propagate 
through  the  first  100km  of  the  described  WDM  line. 
Light  from  two  DFB  lasers  with  wavelengths  on  the 
100GHz  ITU  grid  (1550. lnm  and  1551. 7nm)  is  mixed 
on  a  3dB  coupler,  where  one  output  is  terminated  and 
the  other  enters  a  lOGHz-bandwidth  fiber-coupled  Mach- 
Zender  type  LiNbCU  intensity  modulator  (IM).  The  IM  is 
driven  by  an  amplified  lOGbps  PRBS  generated  by  a  bit¬ 
error-rate  tester  (BERT)  of  (231— 1)  period.  The  PRBS- 
modulated  channels  (hereafter  referred  to  as  PRBS  chan¬ 
nels)  then  pass  through  an  EDFA  to  compensate  for 
losses  before  entering  and  being  spectrally  separated 
by  AWG1.  Partial  decorrelation  of  the  PRBS  chan¬ 
nels  is  achieved  by  introducing  approximately  one  me¬ 
ter  fiber  length  difference  (^50  bits)  between  the  chan¬ 
nels  before  combining  them  into  the  WDM  line  with 
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FIG.  7:  Left:  Transmitter/receiver  setup.  Gl,  RF  power  amplifier;  OA2,  low-noise  EDFA  followed  by  a  25GHz-passband 
Bragg-grating  filter;  PMF,  polarization-maintaining  fiber;  Circ.,  optical  circulator.  Right:  200km  in-line  amplified  line.  IM, 
lOGbps  intensity  modulator;  DCM,  dispersion-compensation  module;  RCVR,  lOGbps  InGaAs  PIN-TIA  optical  receiver;  G2, 
lOGbps  modulator  driver 


AWG2.  On  launch  (i.e.,  after  AWG2),  the  optical  power 
is  — 2dBm/channel  for  all  three  channels. 

After  propagating  through  the  first  100km  of  fiber 
(20dB  of  loss)  and  the  in-line  EDFA  (23dB  of  gain), 
the  channels  are  separated  by  AWG3  (3dB  of  loss).  Ei¬ 
ther  of  the  two  PRBS  channels  is  amplified  with  a  lOdB 
gain  EDFA  and  the  GVD  is  partially  compensated  by 
a  —  1530ps/nm  DCM.  The  amplified,  GVD-compensated 
PRBS  channel  is  detected  using  an  InGaAs  PIN-TIA  re¬ 
ceiver  (RCVR)  and  analyzed  for  errors  by  the  BERT. 
Note  that  the  reason  that  the  PRBS  channels  do  not 
propagate  through  the  entire  200km  line  is  because  our 
DCM  only  provides  enough  compensation  for  100km  of 
fiber.  Figure  a)  (left)  shows  the  optical  spectrum  of 
the  light  measured  after  AWG2  with  O.Olnm  resolution 
bandwidth.  The  launch  power  in  the  quantum  chan¬ 
nel  and  in  each  of  the  PRBS  channels  is  —  1.5dBm.  An 
eye  pattern  of  the  1550. lnm  PRBS  channel  at  launch  is 
shown  in  Fig. |H{a) (right).  Measuring  after  AWG2  (i.e.,  at 
launch),  neither  PRBS  channel  showed  any  errors  in  10 
terabits  of  pseudo-random  data  communicated.  Figure 
[H{b)(left)  shows  the  optical  spectrum  (O.Olnm  resolution 
bandwidth)  of  the  light  received  after  the  in-line  ampli¬ 
fier  (100km  of  fiber).  An  eye  pattern  of  the  1550. lnm 
PRBS  channel,  post  dispersion  compensation,  is  shown  in 
Fig. |E{b) (right).  As  in  the  polarization- mode  implemen¬ 
tation,  the  bit-error  rate  for  each  of  the  PRBS  channels 
remained  nearly  “error  free”  at  5  x  10-11  despite  the  in¬ 
complete  GVD  compensation.  Neither  the  bit-error  rates 
nor  the  eye  patterns  of  the  PRBS  channels  changed  when 
the  quantum  channel  was  turned  off. 

Figure 0 shows  the  eye  patterns  for  encrypted  650Mbps 
(215  —  l)-bit-PRBS  and  IMb-bit map-file  transmissions 
(insets)  as  measured  by  Bob  (top)  and  Eve  (bottom). 
In  these  experiments,  Bob  is  located  at  the  end  of  the 
200km-long  line  and  Eve  is  located  at  the  transmitter 
(Alice).  Eve’s  actions  are  physically  simulated  by  using 
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FIG.  8:  (a):  Optical  spectrum  (left)  and  eye  pattern  of  a 
PRBS  channel  (right)  at  launch  [after  AWG2  in  Fig. [7J right)], 
(b):  Optical  spectrum  (left)  and  eye  pattern  of  a  PRBS 
channel  (right)  after  in-line  amplification  [before  AWG3  in 
Fig.  Qright)]. 


Bob’s  hardware,  but  starting  with  an  incorrect  secret- 
key.  While  Fig.  ^bottom)  does  not  explicitly  demon¬ 
strate  Eve’s  inability  to  distinguish  neighboring  coherent 
states  on  the  phase  circle,  it  does,  however,  show  that  a 
simple  bit  decision  is  impossible.  The  Q-factor  for  Bob’s 
eye  pattern,  as  measured  on  the  CSA,  was  12.3. 

In  all  of  the  time- mode  implementation  experiments, 
the  coherent  states  are  transmitted  using  non-return-to- 
zero  (NRZ)  format.  The  return-to-zero-like  appearance 
of  Bob’s  eye  pattern  is  due  to  non-zero  rise  time  of  the 
optical  phase  modulation.  This  phenomena  is  also  ob¬ 
served  in  traditional  NRZ-DPSK  systems.  The  apparent 
banding  of  Eve’s  measurements  at  the  top  and  bottom 
of  the  eye  pattern  is  due  to  the  sinusoidal  transfer  func¬ 
tion  of  the  temporally  asymmetric  interferometer  used  for 
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FIG.  9:  Top:  Eye  pattern  and  histogram  of  Bob’s  decrypted 
signal  after  200km  propagation  in  the  WDM  line.  Bottom: 
Eye  pattern  and  histogram  of  Eve’s  measurements  at  the 
transmitter.  Insets,  received  1Mb  bitmap  file  transmissions. 


demodulation.  Despite  this  apparent  banding,  the  eaves¬ 
dropper’s  probability  of  error  is  equal  for  every  transmit¬ 
ted  bit.  If  an  eavesdropper  were  to,  say,  perform  optical 
heterodyne  detection,  a  uniform  distribution  of  phases 
would  be  observed. 

In  the  current  setup,  the  12-bit  D-A  conversion  al¬ 
lows  Alice  to  generate  and  transmit  4094  distinct  phase 
states  (M  =  2047  bases).  Although  we  simulate  an  eaves¬ 
dropper  by  placing  Bob’s  equipment  at  the  transmitter, 
a  real  eavesdropper  would  aim  to  make  the  best  mea¬ 
surements  allowed  by  quantum  mechanics  (just  as  in  the 
polarization- mode  implementation).  The  numerical  cal¬ 
culation  used  to  plot  Fig.  OH  left)  shows  that  for  —  25dBm 
signal  power  at  650Mbps  (~  40,000  photons/bit)  with 
M  =  2047,  Eve’s  maximum  obtainable  information  in 
an  individual  attack  on  the  message  would  be  less  than 
10-15  bits/bit. 


V.  DISCUSSION  AND  SUMMARY 


In  summary,  we  have  developed  schemes  towards 
the  cryptographic  objective  of  practical  data  encryp¬ 
tion  by  using  the  fundamental  and  irreducible  quantum- 
measurement  uncertainty  of  coherent  states.  Unlike  cur¬ 
rently  deployed  deterministic  encrypters  whose  security 
relies  solely  on  unproven  computational  complexity,  we 
offer  a  new  quantum-mechanical  vehicle  to  quantifiable 
information-theoretic  security  through  high-speed  ran¬ 
domized  encryption.  Furthermore,  we  have  clearly  speci¬ 
fied  a  set  of  security  criteria  for  the  cryptographic  service 
of  data  encryption  (which  are  different  from  those  for 
key  generation)  and  considered  some  optimal  quantum 
attacks  on  our  scheme.  While  we  have  yet  to  explicitly 
determine  the  level  of  information-theoretic  security  pro¬ 
vided  by  our  scheme  under  a  general  attack  (which  may 
correspond  to  finding  Ai,  A2),  our  scheme  does  provide  a 
physical  layer  of  quantum-noise  randomization  that  can 
only  enhance  the  security  of  a  message  already  encrypted 
with  a  traditional  deterministic  cipher. 

Experimentally,  we  have  implemented  and  demon¬ 
strated  two  high-speed  versions  of  the  ar\  data-encryption 
protocol  using  both  polarization  and  time  modes,  and 
evaluated  the  schemes’  performances  through  active 
WDM  lines.  Whereas  the  polarization- mode  experiments 
have  demonstrated  the  efficacy  of  the  data-encryption 
protocol,  the  polarization  independent  time-mode  exper¬ 
iments  have  demonstrated  a  technology  that  is  “drop-in” 
compatible  with  the  existing  optical  telecommunications 
infrastructure. 
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